[ Inside Security ]

David Strom's in-depth cybersecurity news and analysis

Senator Ron Wyden has sent a letter (shown here) to Dana Deasy, the CIO of the Department of Defense. Earlier this week, Wyden asked him to adopt best practices to secure the department’s public web properties: few of these sites use HTTPS, and many have feeble authentication. “The DoD cannot continue these insecure practices,” Wyden said, noting that failing to heed these warnings “will erode the public’s trust in the department and its ability to defend against sophisticated cyber threats.” One of the websites cited was that of Deasy’s own office. As Wyden reminded him, the Office of Management and Budget’s HTTPS-Only Standard (memo M-15-13, issued in 2015) requires all public federal websites to serve HTTPS with trusted certificates, and its compliance deadline passed at the end of 2016. Wyden asked for an action plan by the end of July. Other industries have adopted HTTPS at a rapid clip, thanks to pressure from Google, Let’s Encrypt and other major players. It is unfortunate that the feds, and especially our defense agencies, can’t lead by example here.

Elsewhere on Capitol Hill, other senators heard testimony from the members of the L0pht Heavy Industries hacking collective (shown here), who first testified before the Senate in 1998. Here is the link to a recorded stream of this week’s testimony. (Video quality is wanting, but the audio is solid.)

In this week’s outing, they traded jokes about how little hair they now have, but there was a serious undertone to the reunion. A second, poorly recorded stream can be found here. The members were given nameplates with their nom de hacking both then and now, not just to be cute but because in 1998 they were afraid of lawsuits. Back then, they warned that computer networks were embarrassingly insecure and claimed that any one of them could take the entire Internet down in about 30 minutes, thanks to weaknesses in BGP, the Internet’s core routing protocol. In this week’s testimony, four of the group returned to say that while technology has improved, some things haven’t changed: the same class of BGP weakness was exploited in last month’s MEWKit attack, in which hijacked routes to Amazon’s Route 53 DNS service sent MyEtherWallet users to a phishing site. Joe Grand (Kingpin) said, “Nearly all of what we said 20 years ago still holds true. Yes, there have been improvements, but the general class of problems are the same.”

Since that first trip to the Hill, they have mostly remained in cybersecurity. Some have founded security vendors or VARs, others conduct research for the government, and some have gone very corporate: Cris Thomas (Space Rogue), for example, now works for IBM’s X-Force.

They testified that state-sponsored hackers and international criminal organizations, once a merely hypothetical menace, have emerged as top digital threats to governments and companies around the world. Thomas said this week that “we have better visibility into our network endpoints, if we choose to gather it, and can make educated decisions about where to apply our limited resources (10:00)… Strong encryption is more prevalent, but we aren’t applying the knowledge of how to make something secure evenly.” (12:00) (I have provided time codes keyed to the video stream, in case you want to follow along on your own.)

Chris Wysopal (Weld Pond) is now the CTO of CA Veracode. He said, “There are so many more threat actors now. We have gone from teenagers to nation states doing the hacking.”

Peiter Zatko (Mudge) said that “while it feels better to buy the more complex security solution, it might have a larger attack surface and be more vulnerable.” (1:03:00)

If you have time to review either or both recorded streams, you can see how little we have accomplished in 20 years, and how many of the L0pht’s warnings haven’t been acted on.

How does a customer support scammer operate? Here is a tale from Malwarebytes. The author, who works for the company, called a scammer and recorded the steps he was taken through to “diagnose” his perfectly healthy PC. During the call, the scammer never ran an actual diagnostic tool and simply did his best to scare the author into buying malware or a phony support plan. It is a sobering account. Lots more today, including some nifty open source tools for pen testers.

-- David Strom, editor of Inside Security

If you want a convenient list of tips to secure your web apps and servers, this is a nice one. There are suggestions for securing databases (such as encrypting data at rest), for improving authentication (password rules and MFA), for DDoS protection (enforce limits on the size and structure of user-submitted requests), and numerous others, including creating a security incident response plan. Well worth reviewing, even for experienced hands. – MICHAEL O’BRIEN @ MEDIUM


Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more

Nok Nok Labs has the ambition to transform authentication, by unifying it into one standard protocol, giving business the control they need. Learn more

If you already use Burp Suite, you might be interested in SleuthQL, an open source Python tool that helps find potential SQL injection points. It parses the requests you export from Burp’s proxy history, flags parameters whose names or values look like SQL syntax (in query strings, form bodies, JSON and XML), and generates the matching sqlmap commands, so the discovery step is automated rather than eyeballed. – RHINO LABS
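Here, as an added example for this issue (not SleuthQL’s own code), is the core idea in miniature: pull the parameters out of captured requests, flag the ones whose names or values look like SQL, and emit a sqlmap command scoped to them. The requests, parameter names and the keyword list are all constructed for illustration, and the heuristic is deliberately crude.

```python
"""Flag request parameters that look like SQL and hand them to sqlmap.

Added example (not SleuthQL's own code): the same idea in miniature.
All requests below are constructed; the keyword list is a starting point.
"""
import json
import re
import shlex
from urllib.parse import parse_qsl, urlsplit

# Values an ordinary user would rarely submit: SQL keywords, comment
# openers, a stray quote or a time-based probe.
SQL_VALUE = re.compile(
    r"\b(select|insert|update|delete|from|where|union|order\s+by|group\s+by|"
    r"and|or|like|limit|asc|desc)\b|--|/\*|'|\bsleep\s*\(",
    re.IGNORECASE,
)
# Parameter names that often map straight onto a column or query fragment.
SQL_NAME = re.compile(r"sql|query|order|sort|filter|where|col|column|table", re.IGNORECASE)


def _flatten(obj, prefix=""):
    """Yield (name, value) pairs from nested JSON so bodies get the same checks as query strings."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _flatten(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _flatten(val, f"{prefix}[{idx}]")
    else:
        yield prefix, "" if obj is None else str(obj)


def extract_params(url, body="", content_type=""):
    """Collect (name, value) pairs from the query string and a form or JSON body."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body and "json" in content_type:
        params += list(_flatten(json.loads(body)))
    elif body and "x-www-form-urlencoded" in content_type:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def suspicious_params(url, body="", content_type=""):
    """Return [(name, value, reasons)] for parameters worth testing for SQLi."""
    hits = []
    for name, value in extract_params(url, body, content_type):
        reasons = []
        if SQL_VALUE.search(value):
            reasons.append("value looks like SQL")
        if SQL_NAME.search(name):
            reasons.append("name suggests a query fragment")
        if reasons:
            hits.append((name, value, reasons))
    return hits


def sqlmap_command(url, body="", content_type="", method="GET"):
    """Build a sqlmap argv scoped (-p) to the flagged top-level parameters.

    Nested JSON names such as "filter.where" are reported but not passed
    to -p; sqlmap needs its '*' injection marker for those.
    """
    hits = suspicious_params(url, body, content_type)
    if not hits:
        return None
    argv = ["sqlmap", "-u", url, "--batch"]
    if body:
        argv += ["--method", method, "--data", body, "-H", f"Content-Type: {content_type}"]
    top_level = [name for name, _, _ in hits if "." not in name and "[" not in name]
    if top_level:
        argv += ["-p", ",".join(top_level)]
    return argv


if __name__ == "__main__":
    # Constructed requests standing in for a Burp export.
    get_url = "https://shop.example.test/items?id=5&sort=price%20DESC&q=shoes"
    post_url = "https://shop.example.test/api/search"
    post_body = json.dumps({"filter": {"where": "status = 'active' AND price > 10"}, "page": 1})
    for url, body, ctype in [(get_url, "", ""), (post_url, post_body, "application/json")]:
        for name, value, reasons in suspicious_params(url, body, ctype):
            print(f"{url}: {name}={value!r} ({'; '.join(reasons)})")
        argv = sqlmap_command(url, body, ctype, "POST" if body else "GET")
        if argv:
            print("  " + shlex.join(argv))
```

Expect false positives (any value containing a quote or the word “and” trips it); the point is to shrink a proxy history of thousands of requests to the handful worth handing to sqlmap, not to prove injection.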

Researchers are tracking a new botnet they have dubbed Brain Food. It consists of a PHP script planted on more than 5,000 compromised web servers and has become more active in the past week. Spam carrying shortened URLs lures users to those servers, which redirect them to pages pushing diet pills. The script is polymorphic and wrapped in several layers of obfuscation. -- PROOFPOINT

Roaming Mantis is Android malware that spreads by hijacking the DNS settings of home routers, so that victims’ browsers are redirected to a page pushing a trojanized app that steals banking credentials. It initially targeted mostly Asian smartphones. Since its discovery it has expanded to the rest of the world, now serves iOS users a phishing page instead of an Android package, has added a Coinhive cryptominer, and is available in 27 languages. – SECURELIST

The University of Greenwich (UK) has been fined £120,000 by the Information Commissioner’s Office after a 2016 incident in which the personal details of nearly 20,000 staff, students and alumni were stolen. It is the first such fine the ICO has levied against a university. Had the incident happened next week, after GDPR takes effect on May 25, the fine could have been far higher. – INFOSEC MAG

This researcher modified his SSH server to record the passwords used in failed login attempts and compiled the results. He saw attempts from all over the world (see map), and yes, “123456” was at the head of the list. If you want to try this experiment at home, he walks you through the steps involved. -- HACKERNOON
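An added example of the compile-the-results step, written for this issue rather than taken from the post: stock OpenSSH never logs the submitted password (which is why the researcher had to patch his server), but it does log the username and source address of every failure, and tallying those from the sshd lines in auth.log is a useful first pass that needs no patching. The log lines below are constructed, with addresses from the documentation ranges.

```python
"""Summarise failed SSH logins from sshd's syslog lines.

Added example, not the HackerNoon author's code. Stock sshd logs the
username and source of each failure but never the password itself.
The SAMPLE_LOG lines are constructed; the IPs are documentation ranges.
"""
import re
from collections import Counter

# Two shapes of the sshd failure line: a real account and an "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+) ssh2"
)

SAMPLE_LOG = """\
May 21 03:14:07 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 4444 ssh2
May 21 03:14:09 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 4445 ssh2
May 21 03:14:11 bastion sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 52211 ssh2
May 21 03:14:12 bastion sshd[1207]: Accepted publickey for deploy from 192.0.2.10 port 60012 ssh2: ED25519 SHA256:AbCd
May 21 03:14:15 bastion sshd[1209]: Failed password for invalid user pi from 198.51.100.7 port 52213 ssh2
May 21 03:14:20 bastion sshd[1211]: Failed password for invalid user admin from 203.0.113.5 port 4446 ssh2
"""


def parse_failures(text):
    """Return one dict per failed-password line; other sshd lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            rows.append({
                "user": m["user"],
                "ip": m["ip"],
                "port": int(m["port"]),
                "invalid_user": m["invalid"] is not None,
            })
    return rows


def summarise(text, top=5):
    """Top usernames and sources, plus how many attempts used non-existent accounts."""
    rows = parse_failures(text)
    return {
        "total": len(rows),
        "invalid_user": sum(r["invalid_user"] for r in rows),
        "users": Counter(r["user"] for r in rows).most_common(top),
        "sources": Counter(r["ip"] for r in rows).most_common(top),
    }


def brute_force_sources(text, threshold=3):
    """Sources with at least `threshold` failures: the ones worth blocking or reporting."""
    counts = Counter(r["ip"] for r in parse_failures(text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['total']} failed logins, {s['invalid_user']} against accounts that do not exist")
    print("top users:  ", s["users"])
    print("top sources:", s["sources"])
    print("brute-force candidates:", brute_force_sources(SAMPLE_LOG))
```

Run it against a real file with `summarise(open("/var/log/auth.log").read())`. The “invalid user” share is the number to watch: attempts against accounts that do not exist on the box are pure scanner noise, while repeated failures against real accounts deserve a closer look.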

If you have passed on blockchain technology, take another look at private chains. Focus on how a distributed, immutable ledger with integrated analytics can reduce the friction, time and resources involved in delivering your organization’s products and services. This post explains why private chains can be the more useful option. – ENTERPRISE TECH

If you are just starting to learn about OAuth abuse, review this post. The author has released an open source tool called PwnAuth, a web application framework for launching and managing OAuth abuse campaigns: a malicious OAuth application asks users to consent to a set of permissions, and anyone who clicks “accept” hands the attacker an access token to their account without a password ever being phished. It lets you test how your users respond to this kind of social engineering and find weaknesses in how your organization governs third-party app consent. – FIREEYE BLOG

Trump’s usage of his cell phones (one reserved for his tweets, the other for calls) is highly insecure, according to this report. Obama had his phones checked for security breaches monthly; Trump’s are checked far less often. Essentially, he is using burner phones. -- POLITICO

If you have noticed the blob of “randomart” that appears when you log in via SSH, here is an explanation of how it works, why it is moderately useful, and how to roll your own. – BENJOJO BLOG

My highlighted podcast for this week is from IBM and features Joe Gray, a senior security architect with the company, talking about social engineering attacks: how they work and how you can prevent them. Also, if you need to report a data breach or other cyber attack to the feds, this handy reference guide from CyberSecurity Magazine can help. It lists contacts for the major relevant agencies, including Homeland Security, the FBI, US-CERT and others.

The KELA Group raised a $50M funding round led by Vector Capital. The Tel Aviv-based firm sells a real-time cyber threat management solution; its CEO is Nir Barak.

Auth0 today announced a $55M Series D funding round led by Sapphire Ventures. The Seattle-area firm sells authentication and identity solutions; its CEO is Eugenio Pace.

Tanium raised a $175M funding round led by TPG. The Bay Area firm does endpoint detection and response (EDR); its CEO is Orion Hindawi.

RunSafe Security announced the closing of its $2.4M seed funding round led by Alsop Louie Partners. The DC-area firm has developed security for embedded systems; its CEO is Joe Saunders.

Researchers have found a new Mirai variant, dubbed Wicked, that bundles three exploits for known bugs in unpatched IoT devices. Depending on the device it is attacking, it achieves remote code execution (illustrated here) or command injection, and then pulls down its payload. – FORTINET LABS

Throughout 2016, the Pakistan-based hacking group Mythic Leopard used custom .NET downloaders to collect basic system information and fetch additional payloads onto infected hosts. This post dives into their operation and dissects some of the malware they produced. – CROWDSTRIKE BLOG

Here is how Base64 works. It is an encoding, not encryption, but it is a simple and very common obfuscation layer for malicious payloads. Originally devised so that binary email attachments could pass through text-only mail systems (MIME), it takes three 8-bit bytes (24 bits) and splits them into four 6-bit groups, each mapped to a printable ASCII character from a 64-symbol alphabet, padding with “=” when the input isn’t a multiple of three bytes. The fixed expansion (four characters out for every three bytes in) and the restricted alphabet make encoded blobs easy to spot, and anything that decodes to readable code or a URL deserves a closer look. – IMPERVA BLOG
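To make the three-bytes-to-four-characters mechanic concrete, here is an added example written for this issue (not code from the Imperva post) that encodes and decodes Base64 by hand, checks itself against the standard library, and then uses the decoder to pull an encoded payload out of a constructed line of PHP. The alphabet is the standard one; the payload string is made up for illustration.

```python
"""Base64 by hand: 3 bytes (24 bits) in, 4 six-bit symbols out.

Added example, not code from the Imperva post. The hand-rolled encoder
is checked against the standard library; the PHP line in __main__ is a
constructed stand-in for an obfuscated payload.
"""
import base64
import re

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE = {c: i for i, c in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")   # up to 24 bits, zero-padded
        groups = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        keep = len(chunk) + 1                  # 1 byte -> 2 symbols, 2 -> 3, 3 -> 4
        out.append("".join(ALPHABET[g] for g in groups[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text: str) -> bytes:
    text = text.rstrip("=")
    if len(text) % 4 == 1 or any(c not in DECODE for c in text):
        raise ValueError("not base64")       # a lone trailing symbol carries only 6 bits
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = text[i:i + 4]
        n = 0
        for c in chunk.ljust(4, "A"):          # 'A' is 0: fills in the missing low bits
            n = (n << 6) | DECODE[c]
        out += n.to_bytes(3, "big")[:len(chunk) - 1]   # 4 symbols -> 3 bytes, 3 -> 2, 2 -> 1
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Sanity check: agree with the standard library in both directions."""
    encoded = b64encode(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64decode(encoded) == data)


# A run of alphabet characters long enough to be worth decoding, plus padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_embedded(text: str):
    """Find base64-looking runs in text; return [(encoded, decoded)] for the ones that decode."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            found.append((m.group(), b64decode(m.group())))
        except ValueError:
            continue
    return found


if __name__ == "__main__":
    for sample in (b"Man", b"Ma", b"M"):       # the classic padding cases
        print(sample, "->", b64encode(sample))
    payload = b'system($_GET["c"]);'           # constructed stand-in for a web shell
    line = 'eval(base64_decode("' + b64encode(payload) + '"));'
    for encoded, decoded in decode_embedded(line):
        print(encoded, "->", decoded)
```

The `decode_embedded` pass is the part worth keeping around: run it over a suspicious PHP or JavaScript file and anything that decodes to printable text is exactly the sort of hidden payload the post is talking about. Real malware often stacks this with a second layer (gzip, rot13, a reversed string), so a blob that decodes to more gibberish is a reason to keep peeling rather than to stop.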

Here are five simple steps you can take to beef up your threat detection. They include looking at the bigger picture, making sure you have a comprehensive inventory of your servers, and augmenting human analysts with machine learning tools. – ALERT LOGIC BLOG

A new variant of the Crysis/Dharma ransomware has been discovered by a security researcher. It encrypts mapped network drives, drives shared with virtual machine hosts, and unmapped network shares, and it deletes the volume shadow copies as it goes. Have your backups in order, and make sure at least one copy is not reachable as a writable share from the machines it protects, since this variant will encrypt those too. – BLEEPING COMPUTER